Security researcher publishes 10 million passwords despite fear of FBI
This is the state of cybersecurity research now.
For whatever reason, people on the Internet still have trouble creating secure passwords. To better understand how and why people choose the passwords and usernames they do, one security researcher is releasing a massive trove of data in an effort to improve password security.
Mark Burnett released 10 million passwords on Monday. He collected the data from publicly available datasets leaked in the last decade by blackhat attackers. Burnett removed the identifying factors such as the domain portion of the email address.
He believes the combinations are “dead passwords,” meaning they are effectively useless to hackers or anyone trying to use them for fraudulent purposes.
Although Burnett collected and released this data exclusively for research purposes to better understand human behavior, he couched the release heavily, writing at length about why he shouldn’t be arrested by the FBI.
Burnett’s concerns stem from the aggressive prosecution of journalist Barrett Brown, who was charged with, among other things, sharing a link to data that included email addresses and credit card information. Brown’s arrest and prosecution led some journalists, activists, and security researchers to step down from their posts for fear of arrest based on similar charges.
Additionally, the Obama administration has proposed changes to the Computer Fraud and Abuse Act, which for now protects the release of data like the 10 million passwords Burnett posted this week, thanks to the researcher’s purpose of doing so without the intent to cause harm. If the changes are implemented, however, they could cause further problems for journalists and security researchers.
“For now the laws are on my side because there has to be intent to commit or facilitate a crime. However, the White House has proposed some disturbing changes to the Computer Fraud and Abuse Act that will make things much worse. Of particular note is 18 U.S.C. § 1030(a)(6):
“(6) knowingly and ~~with intent to defraud~~ willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;”
By removing “intent to defraud,” the government would make it much easier to prosecute people who share information like the passwords Burnett released, even when the data is shared for educational purposes.
For now, Burnett seems to be in the clear. One programmer has already made a Twitter bot to tweet out the combinations.
You shouldn’t be concerned whether your old username or password is on this list. Malicious attackers will be unable to do anything with it. But you should be concerned by the chilling effects placed on people like Burnett, in the wake of increased cybersecurity scrutiny and persecution.
For now, at least, researchers can better understand what makes us pick certain passwords thanks to this data—and try to make the Internet a little more secure.
Photo and illustration by Max Fleishman
Selena Larson is a technology reporter based in San Francisco who writes about the intersection of technology and culture. Her work explores new technologies and the way they impact industries, human behavior, and security and privacy. Since leaving the Daily Dot, she's reported for CNN Money and done technical writing for cybersecurity firm Dragos.